Trust and Identity in Virtual Worlds and Collaborative Spaces
Anthony Nadalin, Distinguished Engineer, IBM
Early Virtual Worlds & Collaborative Spaces Business Applications
  • Commerce
  • Collaboration and Events
  • Education and Training
  • Emerging Business Applications
Trust and identity in virtual worlds and collaborative spaces
  • Think: Wikipedia, Second Life
      • International: open to everybody with access to the Internet
      • Collaborative: free information sharing, user-created content
      • Social: users can establish relationships with other users
  • Everybody can participate – and bad guys can act anonymously
      • Unclear basis for trust in the information you find in Wikipedia
      • Insufficient accountability for inappropriate content in virtual worlds
  • We are in the early days of commercial exploitation of these technologies
      • Resembling situation with electronic mail and spam 10 years ago
  • Trust and identity are key to the success of collaborative space – either way
      • Issues around trust threaten the continued success of collaborative spaces
      • Sound trust and easy to use federated identities enable new services
Some examples of issues around trust and identity
  • Online Predators: http://www.cbsnews.com/stories/2007/03/13/tech/main2563414.shtml
      "… one of a half-dozen documented cases this past year alone in which older men used such Internet sites to set up sexual encounters with minor girls in Connecticut."
  • Illegal Content/Behavior: http://www.theregister.co.uk/2007/02/21/dutch_demand_ban_on_virtual_child_porn/
      "... reports about adult players with child avatars soliciting (paid) sex."
  • Online Harassment and Bullying: http://doc.weblogs.com/2007/03/28#whatItIsnt
      "... abruptly cancelled her appearance at the O'Reilly ETech conference in San Diego, after receiving threatening and sexually graphic messages that made her afraid to leave her house."
  • Reputation Fraud: http://www.msnbc.msn.com/id/17171372/
      "... eBay suspended accounts identified in the article, ... the forger merely moved the operation to another Internet auction site for a few months before returning to eBay, setting up new accounts and picking up where he left off."
  • False Claims: http://en.wikipedia.org/wiki/Essjay_controversy
      "... claimed to hold doctoral degrees in theology and canon law as a tenured professor at a private university, he was in fact a community college dropout from Kentucky."
Collaborative spaces and virtual communities
  • Multi-service Platforms
  • Social Computing
  • 3D/Realtime Internet/MMOGs (MMOG = Massive Multiplayer Online Game)
  • Common problem: Trust and Identity
  • Enterprise Customers & Governments
What is new, compared to 10 years ago?
  • History
      • Public key infrastructure (X509v3, SPKI, PGP, …), digital signature initiatives – late 90’s
      • Microsoft Passport (= Windows Live ID) – 2000
      • Liberty Alliance – 2001
  • What changed?
      • Awareness for the role of digital identity
      • Post-9/11 security concerns
      • High-profile privacy incidents – e.g., TJX: lost 45.7 million payment card numbers
      • Identity theft – 3.7% of all US citizens were victims of fraud due to identity theft
      • More valuable data online, e.g., healthcare portals
  • Value
      • Increasing value of identity per se: more and better services
      • Increasing value of portable identity: Web 2.0 connects people and data across enterprise boundaries
      • Increasing demand for user-centric, portable, life-long identity, and reputation
      • Increasing demand for strong identity
Scenarios
  1. Trusted Content
  2. Trusted Collaboration
  3. Trusted Roaming
  4. Trusted Delegation
  5. Trusted Aggregation
Scenario 1: Trusted Content
  • Can I trust this collaborative space?
      • Is all content correct?
      • Is all content authorized?
      • Is all content appropriate for me?
      • What is the creator’s reputation?
  • Can I trust this content?
      • Is this content correct?
      • Is this content authorized?
      • Is this content appropriate for me?
      • What is the creator’s reputation?
Scenario 2: Trusted Collaboration
  (Diagram labels: Patrick, Paul; [email_address], [email_address]; "Request freetime")
  • How can Patrick locate Paul’s calendar?
  • Can Paul trust this request?
      • Is this request legitimate?
      • Who is this requestor?
Scenario 3: Trusted Roaming
  • I want to see what World of Warcraft is about
  • I want to stand in SL look over the bridge into WoW
  • I want to go from “left” to “right”
  • And both with a minimum of overhead – no new registration, no new avatar design, no new reputation
  • I do have an avatar in Second Life
Scenario 4: Trusted Delegation
  • Give Alice the right to see Bob’s images
  • How can Bob trust that only Alice sees the pictures, and how can he maintain control over the pictures?
  • How can Bob avoid telling the service who Alice is?
Scenario 5: Trusted Aggregation
  (Diagram labels: Bank, Health Insur., Employer, Aggregator)
Scenarios
  • Interoperability of trust and identity systems
  • User-centricity, transparency, choice
  • Privacy and pseudonymity
  • Reputation of users and spaces
  • Cross-platform capability
  Specific Scenario
  1. Trusted Content: Trust in correctness and appropriateness of specific / of all objects in a collaborative space (e.g., Wikipedia, Second Life).
  2. Trusted Collaboration: Enable freetime-based scheduling of meetings across calendars in different enterprises, using different identity schemes.
  3. Trusted Roaming: Cross bridges from one virtual world to the other, carrying your identity (avatar, attributes, reputation) with you.
  4. Trusted Delegation: Give your friend access to your digital photos without the fear that the photo server knows who your friends are, or that your friends share your photos with others.
  5. Trusted Aggregation: Aggregate personal information through a portal, without fear of misuse or fear of identity theft, but with the added value of non-trivial aggregation.
State of the Art
Some Remarks on Policy
  • Identity
      • Online identities are essentially unregulated
      • Risk associated with using online identities is growing, number of high profile incidents will increase
      • Identity theft, e-banking, healthcare portals, reputation on eBay, …
      • Needed: best practices for trust and identity
  • Privacy
      • Privacy is a top concern for individuals
      • Similar privacy concerns and privacy regulations exist world-wide
      • Current privacy principles (OECD) seemingly collide with Web 2.0 paradigm: minimize vs. maximize info sharing
      • Needed: new societal norms and best practices
Identity Technology
  • Status quo
      • Site-specific username / password
          • Low security, vulnerable to phishing, password management up to user
      • Application-specific identity
          • Sharing of identity information only within defined federations
  • Trends
      • User-centric identity
          • User controls release of identities and attributes
          • Decoupling of user’s from service provider’s view
          • Framework provides unified, abstract view on a multitude of specific identity systems
      • Security beyond username / password
          • Username / password → tokens containing identity claims
          • Framework approach enables strong mutual client-server authentication
      • Federated identity, portable identity in Web 2.0
          • Lightweight, decentralized identity provider for single sign-on
          • Fine-grained, user-controlled attribute sharing with privacy
Reputation Technology
  (Diagram labels, in the order they appear on the slide)
  • Summary of actual past behavior, by service provider
  • Real identity
  • Background check against external data
  • Peer reviews
  • portable / specific
  • Identity Verification, Identity Proofing = Strong Identity
  • Trust in specific attribute or future behavior?
  • Digital Identity
Outlook
3. Future of Virtual Reality
4. Future of Identity Systems
  • User-centric, transparent identity management
      • Service-specific identities are managed transparently
      • User can create as many identities as he or she wishes
      • User maintains full control over his or her privacy (e.g., pseudonyms)
      • Access to identities is secured through strong authentication
      • Privacy friendly service discovery and search will emerge
  • Portable identities
      • Immersive user interfaces yield rich identities and complex attributes and capabilities
      • Users expect to carry their rich identities from one space (application) to the next
2. Future of Identity
  • Life-long personal identities
      • People act as “free agents” who manage their digital identities and capabilities independently of their current “employers” or “schools”
      • Identities and attributes become independent from identity providers, and can be freely moved between providers
      • Some will stay for a user’s whole life, and need special protection
1. Future of Identification
  • Strong identity proofing
      • Biometrics increasingly used to prove and authenticate identities
      • Online identity increasingly established through physical world identities
(Chart labels: Technology Outlook; BBC 2007; On average: 20 20% growth/year; IBM GIO 2006)
An   eComm 2008   presentation –   http://eCommMedia.com   for more

Tony Nadalin's presentation at eComm 2008
